ng-attr-action and ng-attr-srcdoc allow binding to Javascript #4927

chirayuk · 2013-11-12T22:50:26Z

Ref: https://code.google.com/p/mustache-security/wiki/AngularJS#The_State_of_AngularJS_1.2.0

<html ng-app>
<head>
        <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.2.0-rc.2/angular.min.js"></script>
</head>
<body>
        <form ng-attr-action="{{'javascript:'}}alert(1)"><button>CLICK</button></form>
        <iframe ng-attr-srcdoc="{{'<img src=x onerror=alert(1)>'}}"></a>
</body>

Require bindings to form[action] to be $sce.RESOURCE_URL and bindings to iframe[srcdoc] to be $sce.HTML Closes angular#4927

Require bindings to form[action] to be $sce.RESOURCE_URL and bindings to iframe[srcdoc] to be $sce.HTML Closes angular#4927 Closes angular#4933

ghost assigned chirayuk Nov 12, 2013

chirayuk mentioned this issue Nov 13, 2013

fix($compile): secure form[action] & iframe[srcdoc] #4933

Closed

chirayuk added a commit to chirayuk/angular.js that referenced this issue Nov 13, 2013

fix($compile): secure form[action] & iframe[srcdoc]

da766bb

Require bindings to form[action] to be $sce.RESOURCE_URL and bindings to iframe[srcdoc] to be $sce.HTML Closes angular#4927

chirayuk closed this as completed in 0421cb4 Nov 22, 2013

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ng-attr-action and ng-attr-srcdoc allow binding to Javascript #4927

ng-attr-action and ng-attr-srcdoc allow binding to Javascript #4927

chirayuk commented Nov 12, 2013

ng-attr-action and ng-attr-srcdoc allow binding to Javascript #4927

ng-attr-action and ng-attr-srcdoc allow binding to Javascript #4927

Comments

chirayuk commented Nov 12, 2013